On 4/8/2015 10:06 PM, John Levine wrote:
> I updated my conditional signature draft, which is now (thanks to a
> suggestion from Ned Freed) the mandatory tag draft.
> https://tools.ietf.org/html/draft-levine-dkim-conditional-01
> The idea is that you have a weak signature on To, From, Date,
> Message-ID but not subject or body, with a new tag that says the
> signature is only valid if it's also signed by a specified other
> party, who would be the entity that you expect to forward the message.
> So I send a message signed like this:
> From: [email protected]
> To: [email protected]
> DKIM-Signature: ...; d=taugh.com; ... ordinary good strong signature
> DKIM-Signature: ...; d=taugh.com; @fs=ietf.org; ... weak signature, not good yet
> The list does what it does to the message, and now it's signed like this:
> From: [email protected]
> To: [email protected]
> DKIM-Signature: ...; d=taugh.com; ... broken strong signature
> DKIM-Signature: ...; d=taugh.com; @fs=ietf.org; ... weak signature, good because it's also signed by ietf.org
> DKIM-Signature: ...; d=ietf.org; ... new good strong signature
Good idea.
The outbound signer will create two signatures; a weak 1st party to
satisfy the DMARC alignment, and the 2nd signature has a "@fs=" tag
identifying the PENDING authorized 3rd party signer.
The 3rd party signer will do its natural thing and sign the mail as a
3rd party signer. However, it MUST KEEP the other signatures. Do not
remove the previous signatures, in particular the weak 1st party
signature.
The receiver will now have two signatures:
- 1st party signature with @fs pointing to the 3rd party signature.
- 3rd party signature
New DMARC receivers following this idea will check for a two-signature
requirement in order to pass this test. The 1st party authorizes the
3rd party with the @fs= tag.
Old DMARC receivers SHOULD NOT fail because they see a valid WEAK first
party signature. However, depending on the implementation they COULD
see a 3rd party signature as a violation of the exclusive DKIM 1st
party only signing requirement. In other words, there should be no
"Indirect" indicators in the mail. Having a 3rd party signature
MAY/CAN BE leveraged for bad mail, unexpected "indirect" mail filtering.
Across the board, unlike ATPS, this idea has more change requirements
at signers, receivers and also MLS software to make sure they do not
strip the weak 1st party signature.
For the signers, like ATPS, there is still a scale problem here for
the big guys with thousands of list domains. How will the signing
machines determine which messages are for list domains?
Overall, it's a good idea, but it's still a lot of work, more so than
ATPS requires. This idea requires the signers, receivers and the MLS to
adapt to new rules. I still think it is easier for the domain to
publish a 3rd party authorization record and for any receiver to do
3rd party signature DNS authorization checks w/o 1st party records.
No overhead and complexity in DKIM signing and receiver machine change
required.
--
HLS
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
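The receiver-side rule discussed in the thread (a weak first-party signature carrying an @fs= tag counts only if the named forwarder also signed, an old verifier ignores the tag, and a list that strips the weak signature breaks the scheme) is easy to get wrong in the chaining and the legacy case, so here is an added, self-contained Python illustration. It is not code from the draft, from John Levine or from HLS. The tag name "@fs" is taken from the message above; the hash/RSA part of DKIM verification is replaced by a constructed oracle keyed on the b= value so the example runs offline; the organizational-domain function is a two-label simplification of what DMARC does with the Public Suffix List; and the header values, b= placeholders and domain evil.example are constructed for the scenarios.

```python
import re

FS_TAG = "@fs"            # tag naming the expected forwarding signer, as written in the message above
MANDATORY_PREFIX = "@"    # tags with this prefix are mandatory: an unknown one makes the signature unusable


def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag=value list (RFC 6376 section 3.2), tolerating folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % item)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def valid_signing_domains(headers, crypto_ok, legacy=False):
    """Return the set of d= domains whose DKIM-Signature counts as valid.

    headers:   DKIM-Signature header values, in header order.
    crypto_ok: constructed stand-in for the hash/RSA check, keyed on the b= value.
    legacy:    model a verifier written before the draft, which ignores tags it
               does not know (RFC 6376 section 3.2) and so treats @fs as noise.
    """
    unconditional, pending = set(), []
    for tags in (parse_dkim_tags(h) for h in headers):
        if "d" not in tags or not crypto_ok.get(tags.get("b", ""), False):
            continue                                   # no signer, or signature does not verify at all
        domain = tags["d"].lower()
        if legacy:
            unconditional.add(domain)                  # old verifier: the weak signature stands alone
            continue
        if any(t.startswith(MANDATORY_PREFIX) and t != FS_TAG for t in tags):
            continue                                   # mandatory tag we do not understand
        if FS_TAG in tags:
            pending.append((domain, tags[FS_TAG].lower()))
        else:
            unconditional.add(domain)
    # A conditional signature is good only if the named party's signature is itself good.
    # Loop until stable so a chain (A needs B, B needs C) resolves whatever the header order;
    # a cycle with no unconditional anchor never resolves.
    valid = set(unconditional)
    changed = True
    while changed:
        changed = False
        for domain, required in pending:
            if domain not in valid and required in valid:
                valid.add(domain)
                changed = True
    return valid


def org_domain(domain):
    """Simplified organizational domain (last two labels); real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_dkim_pass(from_domain, valid_domains, strict=False):
    """DMARC DKIM identifier alignment (RFC 7489 section 3.1.1) against the valid signing domains."""
    if strict:
        return from_domain.lower() in valid_domains
    return any(org_domain(d) == org_domain(from_domain) for d in valid_domains)


def scenario(headers, crypto_ok, legacy=False, from_domain="taugh.com"):
    """Return (DMARC DKIM alignment result, sorted valid signing domains) for one message."""
    valid = valid_signing_domains(headers, crypto_ok, legacy)
    return dmarc_dkim_pass(from_domain, valid), sorted(valid)


# Constructed headers mirroring the messages above; b= values are placeholders the oracle keys on.
STRONG = "v=1; a=rsa-sha256; d=taugh.com; s=k1; h=from:to:subject:date:message-id; bh=...; b=STRONG1"
WEAK = "v=1; a=rsa-sha256; d=taugh.com; s=k1; @fs=ietf.org; h=from:to:date:message-id; bh=...; b=WEAK1"
LIST = "v=1; a=rsa-sha256; d=ietf.org; s=list; h=from:to:subject:date:message-id:list-id; bh=...; b=LIST1"
ROGUE = "v=1; a=rsa-sha256; d=evil.example; s=x; h=from:to:date:message-id; bh=...; b=ROGUE1"

ORIGINAL = [STRONG, WEAK]
AFTER_LIST = [STRONG, WEAK, LIST]
CRYPTO_BEFORE = {"STRONG1": True, "WEAK1": True}
CRYPTO_AFTER = {"STRONG1": False, "WEAK1": True, "LIST1": True, "ROGUE1": True}  # list changed Subject/body

if __name__ == "__main__":
    print("as sent:            ", scenario(ORIGINAL, CRYPTO_BEFORE))
    print("via ietf.org list:  ", scenario(AFTER_LIST, CRYPTO_AFTER))
    print("weak sig stripped:  ", scenario([STRONG, LIST], CRYPTO_AFTER))
    print("wrong third party:  ", scenario([STRONG, WEAK, ROGUE], CRYPTO_AFTER))
    print("old verifier, rogue:", scenario([STRONG, WEAK, ROGUE], CRYPTO_AFTER, legacy=True))
```

The third and fourth scenarios are the two failure modes the reply points at: a list that drops the weak first-party signature leaves only ietf.org as a valid signer, which does not align with the taugh.com From domain, and a forwarder other than the one named in @fs= leaves the conditional signature unresolved. The last scenario shows the legacy behaviour described above: a verifier that ignores the unknown tag treats the weak signature as an ordinary valid signature, so alignment passes on it alone.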